November 2010

November 30, 2010

It's hard not to be pleased that Ride the Lightning was named as one of the ABA Journal's Blawg 100, so forgive me this unusual blowing of my own horn. I have no idea how it came about.

But it sure was pleasant to hear about this at the end of a rotten day yesterday - it took an hour for the hotel's Tier 2 support to get me connected to the wireless network followed by the discovery of a clunking sound in the climate control system that involved a charming hour with a hotel engineer - an ineffective hour as I had to get up at 2 a.m. to figure out how to power the system down so I had a prayer of sleeping. So this was welcome news indeed.

November 23, 2010

Information Week reported this week on a recent study showing that 8 out of 10 CIOs think that using smartphones in the workplace increases the vulnerability to attack and rank data breaches as their #1 security concern. That statistic comes from a report conducted by market researcher Ovum and the European Association for e-Identity and Security (EEMA).

This is no surprise to John and me – we continually find security holes caused by smartphones in the security assessments we conduct for law firms and businesses. The report contains more statistics that are consistent with our experience: 48% of employees are allowed to use their personal smartphones to connect to corporate systems – on the flip side, 70% of employees are permitted to use their company-provided smartphones for personal business.

90% of organizations now provide, or will provide soon, smartphones to their employees. A majority said they would provide BlackBerrys (prudent, as we’ve said before, because BlackBerrys are hands down the most secure devices).

Security for smartphones remains pathetically weak. Only half of organizations authenticate their mobile device users. Within that half, 2/3 rely on user names and passwords. 18% use public key infrastructure (PKI) certificates. Only 9% employ two-factor authentication with one-time passwords. More horrifying, only 25% ensure that their smartphones are running anti-malware software.

Watch the headlines: We predict that smartphone data breaches will be commonplace by next year.

November 18, 2010

More than one third of police agencies now review applicants’ social media activity during background checks, according to the first report on agencies’ social media use by the International Association of Chiefs of Police (IACP). The recent report surveyed 728 agencies.

The agencies are requesting that police candidates sign waivers allowing the examination of their social media sites and demanding that the applicants provide IDs and passwords. In some cases, text messages and e-mail logs are also being requested.

The National Fraternal Order of Police has worried that defense lawyers could use information from these sites to undercut the credibility of officers in court. Even the executive director of the Electronic Privacy Information Center (EPIC), Marc Rotenberg, has said he is uneasy about this kind of intrusiveness. If you look at some of the evidence that has been found on social media sites, it is clear that it does serve as a useful screening tool. Applicants have been rejected because of posted suicide threats, racial slurs, explicit sexual talk or photos, etc.

Like Mr. Rotenberg, I am uneasy about the extent of the intrusion – and yet I see a payoff, particularly in a field where public protection is at stake – and where we have experienced so many unfortunate incidents stemming from police officers who are prone to violence, discrimination, etc. If we could pluck some of the bad apples before giving them a badge, perhaps we wouldn’t need so many Internal Affairs officers.

November 17, 2010

Scott Falbo, who developed the iJuror app for the iPad, was kind enough to write yesterday after listening to my latest Digital Edge: Lawyers and Technology ABA podcast with Jim Calloway: Tech Toys for the Holidays. Though I've not used iJuror personally, a number of lawyers have given it very high rankings as a jury selection tool, so I included it in my list of tech toys for the holidays.

Scott most kindly gave me 10 free codes for iJuror and iCLE, an app for both the iPhone and the iPad that gives attorneys and office managers a way to track continuing legal education classes and credits. Contact me by e-mail if you are interested in one of the free codes.

November 16, 2010

I was pleased to hear yesterday from friend and colleague Andrew Hoog, the Chief Investigative Officer for viaForensics. He tells me that they have updated their free iPhone forensics white paper, which covers 13 forensics tools and provides an in-depth review of each tool assessing how effective it is in recovering data.

November 11, 2010

Wikileaks, while controversial, has carved quite a niche for itself as a whistleblower, continually proving what we all know - that politicians and the military sell the public fairy tales. Having provided many a dose of gritty reality, Wikileaks often assumes heroic stature and seems composed of a league of digital superheroes.

I've developed quite an admiration for most of what Wikileaks does, much as I am an ardent admirer of Anderson Cooper's "keeping them honest" tagline. While not without flaws, Wikileaks provides a way for dissidents and whistleblowers throughout the world to document truths that might otherwise remain unknown.

So I was very interested to read (yes, in print) a piece in Forbes proclaiming that the Swedish broadband carrier Bahnhof had confirmed that some Wikileaks servers are now hosted in its Pionen data center, converted from an underground Cold War era nuclear bunker in downtown Stockholm.

The server farm, carved out of a 100-foot-tall granite hill, has just one entrance protected by 20-inch steel doors. The backup generators were originally designed for German submarines. The room now holding Bahnhof's NOC was originally intended to serve as Stockholm's civil defense center during a nuclear winter.

Would the 8,000 servers at Pionen survive a nuclear attack?

Bahnhof Chairman Jon Karlung says "I'm not sure about the people, but the machines would survive." He also says that the facility communicates this message to clients - your data is safe from all intrusions, physical or legal. "Any resemblance to a James Bond setting is purely intentional."

Which reference will inspire tonight's libation - a martini please, shaken, not stirred.

November 10, 2010

Monday's post on the new Firesheep snooping software stirred up a lot of dust - apparently its availability was not known to many. Firesheep is a Firefox extension designed to sniff out weak security and hijack web site sessions on open Wi-Fi networks. So much for computer security at Starbucks.

Thanks to my eagle-eyed husband and partner, John Simek, for finding BlackSheep (via Lifehacker), software by Zscaler that is an anti-Firesheep tool, designed to alert you whenever Firesheep is active on your local network.

Zscaler, a company specializing in security measures for cloud-based computing services, created BlackSheep to counteract Firesheep session hijacking. Once installed, BlackSheep broadcasts fake credentials, in effect fishing for Firesheep installations on the network.

When Firesheep is detected, BlackSheep displays the alert shown in the screen capture above. The configuration of BlackSheep is simple: by default it goes fishing every 5 minutes, but you can adjust it down to 1 minute. BlackSheep is a free tool and works wherever Firefox does.
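A server-side cousin of the decoy idea described above, written here as an added example: it is not BlackSheep's code (Zscaler's tool is a Firefox add-on that works on the client). The application keeps a set of decoy session tokens that no real user ever receives; any request presenting one must be a replay of sniffed traffic. The log format, the `sessionid` cookie name, the decoy values and the sample entries are all constructed.

```python
"""Canary session tokens: decoys that only come back if someone replayed them.

Decoy ids are placed on the wire (for example, sent to a dedicated canary
client on the watched Wi-Fi) but never issued to a real user, so a request
carrying one is a sidejacking alert tied to the replaying client's address.
"""
import re
import secrets

def new_decoy_token():
    """A fresh decoy, shaped like a real 32-hex-digit session id."""
    return secrets.token_hex(16)

# Constructed decoy set and log lines; nothing here comes from a real server.
DECOYS = {"9f1c0ad4b2e7436a8c5d1e2f3a4b5c6d", "0011223344556677889900aabbccddee"}
SAMPLE_LOG = """\
10.0.0.5 [08/Nov/2010:09:12:01 -0500] "GET /home HTTP/1.1" 200 "sessionid=a1b2c3d4e5f60718293a4b5c6d7e8f90"
10.0.0.7 [08/Nov/2010:09:12:44 -0500] "GET /home HTTP/1.1" 200 "sessionid=9f1c0ad4b2e7436a8c5d1e2f3a4b5c6d; lang=en"
10.0.0.5 [08/Nov/2010:09:13:02 -0500] "GET /messages HTTP/1.1" 200 "sessionid=a1b2c3d4e5f60718293a4b5c6d7e8f90"
10.0.0.9 [08/Nov/2010:09:13:30 -0500] "GET /login HTTP/1.1" 200 "-"
"""

# Assumed log format: client ip, [timestamp], "request line", status, "Cookie header".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

def session_id(cookie_header, name="sessionid"):
    """Extract the named cookie from a logged Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def find_sidejack_alerts(log_text, decoys):
    """Every request that presented a decoy token, with who sent it and when."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        token = session_id(m["cookie"])
        if token in decoys:
            alerts.append({"ip": m["ip"], "time": m["ts"],
                           "request": m["req"], "token": token})
    return alerts
```

Running `find_sidejack_alerts(SAMPLE_LOG, DECOYS)` flags only the 10.0.0.7 request, the one that presented a decoy.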

November 08, 2010

Threats to our privacy just keep on coming . . . the latest security demon is Firesheep, released last month as an add-on available through Firefox.

Here's the scenario - you're nursing your favorite latte at Starbucks and logging on to your Facebook account to check on the latest party antics of your irrepressible friends. Once you're logged on, Facebook helpfully sends you a cookie, which your browser then attaches to every subsequent request to prove you are logged in. Unless the website provides end-to-end encryption (HTTPS for every request) - and most don't - that cookie travels in the clear and can be "sidejacked" by anyone on the same open wireless network.

Someone in Starbucks has Firesheep installed. As you visit Facebook, your name (and photo) will appear on Firesheep. With a simple double-click, the snoop can now effectively watch what you are doing on Facebook - or, worse yet, act as though they were you, posting under your identity.

Firesheep is so easy that it takes the hacker out of hacking - and that's scary. There have been more than half a million downloads of Firesheep thus far according to NetworkWorld - also scary. Firesheep's creator, Eric Butler, defends his software, saying it has raised security awareness. No doubt it has, but that's hardly the point of this software. This is snooping software pure and simple and that's undoubtedly what most users intend to use it for.

Given how easy it is to operate, I hope this turns up the heat on social media sites to improve their woeful security.

Experts are questioning whether the software violates various laws, including wiretap, privacy, and computer crime laws. Stay tuned for more as privacy continues to become a quaint historical notion.

Hat tip to Jim Halberg of Nextpoint for alerting me to the story - close on his heels were Sensei's Jeff Fox and John Simek. Thanks all.
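To make the cookie problem in this post concrete, here is an added example (not from the post or from Firesheep) that checks which session cookies a browser would resend over plain http://, the cleartext exposure sidejacking relies on, and shows the one-attribute fix. The Set-Cookie headers and the `http://www.example.com/` site URL are constructed.

```python
"""Audit Set-Cookie headers for the cleartext exposure behind sidejacking.

A browser attaches a session cookie to later requests to the issuing site,
including plain http:// ones, unless the cookie carries Secure. Secure only
helps if logged-in pages are served over HTTPS, the end-to-end encryption
the post calls for; otherwise the site simply stops working.
"""
from urllib.parse import urlsplit

# Constructed sample headers; not captured from any real site.
SAMPLE_SET_COOKIES = {
    "weak": "sessionid=c0nstructed; Path=/; HttpOnly",
    "hardened": "sessionid=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax",
}

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def sent_in_clear(attrs, request_url):
    """True if a browser would attach this cookie to a plaintext request."""
    return urlsplit(request_url).scheme == "http" and not attrs.get("secure")

def audit(set_cookie_headers, site="http://www.example.com/"):
    """Names of cookies that would travel in the clear to `site` (assumed URL)."""
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_in_clear(attrs, site):
            exposed.append(name)
    return exposed

def harden(header):
    """Add Secure so the cookie is never sent over http://."""
    if parse_set_cookie(header)[2].get("secure"):
        return header
    return header.rstrip("; ") + "; Secure"

if __name__ == "__main__":
    for label, header in SAMPLE_SET_COOKIES.items():
        status = "EXPOSED" if audit([header]) else "ok"
        print(f"{label}: {status} -> {harden(header)}")
```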

November 04, 2010

The Florida Supreme Court has recently adopted new jury instructions. Note the specificity of the language below:

During deliberations, jurors must communicate about the case only with one another and only when all jurors are present in the jury room. You are not to communicate with any person outside the jury about this case. Until you have reached a verdict, you must not talk about this case in person or through the telephone, writing, or electronic communication, such as a blog, Twitter, e-mail, text message, or any other means. Do not contact anyone to assist you during deliberations. These communications rules apply until I discharge you at the end of the case. If you become aware of any violation of these instructions or any other instruction I have given in this case, you must tell me by giving a note to the bailiff.

In reaching your decision, do not do any research on your own or as a group. Do not use dictionaries, the Internet, or any other reference materials. Do not investigate the case or conduct any experiments... Do not visit or view the scene of any event involved in this case or look at maps or pictures on the Internet. If you happen to pass by the scene, do not stop or investigate.

Jurors must not have discussions of any sort with friends or family members about the case or the people and places involved. So, do not let even the closest family members make comments to you or ask questions about the trial. In this age of electronic communication, I want to stress again that just as you must not talk about this case face-to-face, you must not talk about this case by using an electronic device. You must not use phones, computers or other electronic devices to communicate. Do not send or accept any messages related to this case or your jury service. Do not discuss this case or ask for advice by any means at all, including posting information on an Internet website, chat room or blog.

While it might seem overkill, it is obvious from all the juror misconduct we've seen that we need to apply a jackhammer to drill the message home. I'll be interested to see how many states follow suit - and whether it works.

November 03, 2010

The FBI has just updated its site to include a story about a chilling case in Los Angeles involving the "sextortion" of over 230 young girls (and more victims may be discovered). The 31-year-old California hacker, who was arrested in June, used malware to control the computers of his victims. He then searched their computers for compromising photos and used the images to demand more photos and videos from the victims.

Using spear phishing techniques and a social media site (not identified in the story), the hacker targeted his victims, sometimes appearing to them as a trusted friend or sister with a link to a scary video - when they clicked on that link, the spyware installed itself.

John and I lecture on Internet safety for children and teens and have a closet full of horror stories. Both parents and children need to be constantly aware of how hackers and predators operate - and TALK with one another. Our fear is that social media vulnerabilities will enhance opportunities for these criminals. Technology is both friend and foe.

In the meantime, we doff our cap to the excellent work of the FBI's cyber squad!

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.